Updating Ubuntu - remember to update AND upgrade

I'm putting this here to remind me ... as I'm old and often forget ...... wassat ?

So I've been doing lots of stuff with Ubuntu recently, including containers, Virtual Servers AND Virtual Machines ...

And I remember to run: -

sudo apt-get update

but then wonder why my packages don't get ... updated !

It's simple ... I've run the update which effectively refreshes the list of packages available .... but NOT remembered to run the corollary upgrade process: -

sudo apt-get upgrade -y

which actually performs the update ( or, if you will, upgrade to the updated packages )

I can concatenate this: -

sudo apt-get update && sudo apt-get upgrade -y

which does the job nicely.

If it helps, the auto-complete behaviour of most shells does help ....

Type sudo apt-get and then press the [TAB] key ...

sudo apt-get 

autoclean        build-dep        check            dist-upgrade     dselect-upgrade  purge            source           upgrade          

autoremove       changelog        clean            download         install          remove           update           

If I'm feeling really brave, I'll do this: -

sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade -y

which upgrades the underlying Ubuntu distribution ....

But that's for the brave ! YMMV

Building Docker images for cache

When building a Docker image, it's useful to know that one can avoid the benefit of caching i.e. messages such as this: -


 ---> 790dcbffd65f
Step 2/3 : RUN apt-get update
 ---> Using cache
 ---> a9dadec81fda
Step 3/3 : RUN apt-get upgrade
 ---> Running in b0261d077b68
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...

This is especially useful when attempting to upgrade packages within an image, having previously built an image ...

I appreciate that I could've just deleted the existing images using docker rmi XXXXXXXX but this is a differently easier option: -

docker build --no-cache -t ubuntu -f Dockerfile .

With thanks to this: -

How to force Docker for a clean build of an image

Encrypted container images for container image security at rest

From IBM, we have this: -

Ensure the confidentiality of data and code in container images

This article addresses a remaining security concern for enterprises about the confidentiality of data and code in container images. The primary goal for container image security is to allow the building and distribution of encrypted container images for making them only available to a set of recipients. While others might be able to access these images, they cannot run them or see the confidential data inside them. Container encryption builds on existing cryptography such as Rivest–Shamir–Adleman (RSA), elliptic curve, and Advanced Encryption Standard (AES) encryption technologies.

Encrypted container images for container image security at rest

kaniko - Build Images In Kubernetes

One of my IBM colleagues mentioned Kaniko today

From the site: -

kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster.

kaniko doesn't depend on a Docker daemon and executes each command within a Dockerfile completely in userspace. This enables building container images in environments that can't easily or securely run a Docker daemon, such as a standard Kubernetes cluster.

https://github.com/GoogleContainerTools/kaniko

IBM Systems Magazine - Secure Service Containers area Virtual Appliance Framework for Sensitive Workloads

I'm reading, and re-reading, this: -

IBM Systems Magazine - Secure Service Containers area Virtual Appliance Framework for Sensitive Workloads

ready to present on the whole wonderful world of containers on IBM Z at the MainframerZ gig tonight: -

MainframerZ meetup at Mediaocean

One thing led to another: -

LPAR and PR/SM

I love rabbit holes ......

IBM Z defines the future of hybrid cloud

Some useful insights on the ever-moving world of IBM Z, including: -

Tailored Fit Pricing for IBM Z
...
The hallmark of this model is that pricing adjusts with usage, removing the need for complex and restrictive capping, and includes aggressive pricing for growth. The capacity solution, also part of Tailored Fit Pricing, enables clients to mix and match workloads to help maximize use of the full capacity of the platform. At the end of the day, Tailored Fit Pricing is designed to both unlock the full power of the platform and ensure optimal response times and service-level agreements, 24/7.
...

IBM z/OS Container Extensions

...
We’re giving our customers the ability to run Linux on IBM Z Docker container in direct support of z/OS workloads on the same z/OS system.
...

IBM z/OS® Cloud Broker

...
IBM z/OS Cloud Broker is designed such that cloud application developers can provision and deprovision z/OS environments to support the app development cycle.
...

and then there's my very own product-set ( well, not JUST mine, I'm just ONE of the engineers !! ): -

IBM Cloud Hyper Protect

...
Hyper Protect offers a range of on-premises and off-premises deployment choices for extending IBM Z services and data—while balancing performance, availability or security.

Next month, for example, Hyper Protect Database as a Service (DBaaS) will launch. DBaaS will support cloud-native developers by providing both PostgreSQL and MongoDB Enterprise Advanced database choices. It also provides the highest level of commercial data confidentiality for sensitive data, FIPS 140-2 Level 4.2
...


IBM Z defines the future of hybrid cloud

Practising Clean Code in Node.JS

One of my friends hosted a rather excellent Lunch and Learn session today, talking about the benefits of Clean Code, and referenced a book by Robert C. Martin, named: -

Clean Code: A Handbook of Agile Software Craftsmanship

We had a good debate about the advantages and disadvantages of comments in code, given that we can / should have self-describing variable and function names.

The debate continues apace; my personal view is that comment should serve to describe WHY I did something, rather than HOW and WHAT, which absolutely should be self-describing.

I'm thinking about this from the perspective of future support i.e. "Why did Dave do it that way ? Oh, because time was short, or Stack Overflow was down, or the code wasn't intended to live forever" 🤣

Meantime, my friend, Aiden, has written a much more well-informed piece here: -

Practising Clean Code in Node.JS

Go read, and let the debate continue .....

IBM Cloud Blog

Including content such as: -

IBM Cloud Virtual Private Cloud (VPC) Is Now Generally Available

We’re pleased to announce IBM Cloud VPC is GA in the Dallas, Frankfurt and Tokyo regions.

Tutorial: Virtual Private Cloud with Public and Private Subnets

A new solution tutorial covering virtual private cloud with public and private subnets.

Recap: KubeCon 2019 (Barcelona)

Looking back at the highlights of KubeCon + CloudNativeCon Europe 2019.

How to Choose a Database on IBM Cloud

Finding the right tool for the right job is an increasingly challenging decision.

https://www.ibm.com/cloud/blog

Apple and HP - Not playing nicely - AirPrint and Bonjour and WiFi bands

Fun discovery after new ADSL modem/router/WAP acquisition ..... Draytek Vigor 2762ac .... AirPrint to HP deskjet via Bonjour gets borked ....

I couldn't print from my iOS devices, unless I brought them close to the printer ....

Long story short, new WAP has two WiFi bands ( 5 GHz and 2.4 GHz ) ... both bands sit on the same SSID, so there appears to be one WiFi....

It looks like printer was connecting to one band, and iOS devices were connecting to the other .... when they're NOT in the same room as the printer ( which is ~15 feet diagonally away from the WAP )

I checked this with the router's web UI, which shows devices connected to each band ... the printer always sits on the 2.4 GHz band .....

The iOS devices sit on the 5 GHz band, when they're closer to the router, but switch to the 2.4 GHz band when I move them upstairs to the study/computer/printer room

I'm assuming that Bonjour doesn't "like" crossing between the two bands i.e. if the printer is sitting on one, the iOS devices can no longer see it

I temporarily mitigated this by disabling the 5 GHz band ...

#EveryDayIsASchoolDay

Glide and Permissions - "Unable to update repository: exit status 255"

When using Go and Glide, one may see messages such as this: -

[WARN] Download failed.
[ERROR] Update failed for github.com/gorilla/securecookie: Unable to update repository: exit status 255
[WARN] Download failed.
[ERROR] Update failed for github.com/gin-gonic/gin: Unable to update repository: exit status 255
[WARN] Download failed.
[ERROR] Update failed for github.com/dgrijalva/jwt-go: Unable to update repository: exit status 255
[WARN] Download failed.
[ERROR] Update failed for gopkg.in/mgo.v2: Unable to update repository: exit status 255
[ERROR] Failed to do initial checkout of config: Unable to update repository: exit status 255
Unable to update repository: exit status 255
Unable to update repository: exit status 255
Unable to update repository: exit status 255

during the glide update process: -

glide update

Chances are it's permissions related ....

I saw this today - thinking that it might be a cache issue, I tried to clear the Glide Cache: -

glide cc

which failed with: -

[ERROR] Unable to clear the cache: unlinkat /home/hayd/.glide/cache/src/https-github.com-googleapis-gnostic/discovery/discovery.proto: permission denied

which reminded me that I'd been going back and forth between my non-root user and root ( via sudo ).

I fixed this as follows: -

sudo chown -R hayd:hayd /home/hayd/.glide

and then re-ran: -

glide cc

which worked as expected: -

[INFO] Glide cache has been cleared.

I was then able to update the Glide dependencies: -

glide update

Nice !

Book Review - You'll See This Message When It Is Too Late - The Legal and Economic Aftermath of Cybersecurity Breaches

This is another of my irregular series of book reviews for the British Computer Society (BCS), who kindly provided me with a review hard-copy of this publication.

You'll See This Message When It Is Too Late
The Legal and Economic Aftermath of Cybersecurity Breaches

By Josephine Wolff

https://mitpress.mit.edu/books/youll-see-message-when-it-too-late

The title of this book gives away the core message, but in a very subtle way.

During the first few chapters, the author, Professor  Josephine Wolff, walks through a number of high-profile security incidents, affecting public and private sector organisations as diverse as the US Office of Personnel Management, the certificate authority, Diginotar, and the dating website, Ashley Madison.

In each case, she describes the technical details of the security breach, the political and organisational landscape of the affected organisation, the key stakeholders ( employees, customers, interested parties ) and, most importantly, how the incident was reported, mitigated and defended, the latter in the context of the personal, political and financial ramifications.

For me, as a technologist, whilst I initially thought that I was seeking a technical and deep-dive analysis of security breaches, this book made me appreciate the deeper impact of such a breach, especially in the way that organisations seek to spread the blame far and wide.

Additionally, Professor Wolff spends a fair amount of the book looking at the instigators of each breach, and explains how their motives vary from financial gain ( perhaps easier to understand ) to political and strategic aims ( espionage and geopolitics ).

This makes the book a very compelling read, and emphasises why this should be on the required reading list for anyone responsible for, or even just interested in, information security.

The book serves to provide a very credible alternative to the image of IT security portrayed by television and the cinema, and sits nicely alongside the reportage provided by the information security industry, and the journalists and analysts who report on it's trials and tribulations.

I sincerely recommend this to anyone with more than a passing interest in information security, and give it 10 out of 10 for breadth, depth and detail.

MainframerZ meetup at Mediaocean in London - Thursday 20 June 2019

Just a reminder that we're only three weeks away from the next MainframerZ Meetup ....

Here's the deets: _

MainframerZ meetup at Mediaocean

and here's the current agenda: -

• Dave Hay - The flexibility of the Cloud, the popularity of Linux, PLUS the security of the Mainframe - A brief exploration of Hyper Protect Services
• Andrew Schofield /Kate Stanley - Unlocking messages from MQ on z/OS into Apache Kafka without freaking out the Sys Admin
• Melvyn Maltz - Mainframe development, some Assembler required
• Mark Wilson - Mainframe pentesting war stories
• Stuart Ashby - TLA all the way

We'd love to see you there ....

Just go here: -

MainframerZ meetup at Mediaocean

and register.

It's been a while - C++ and the case of the missing headers

Whilst trying to compile some code on my Linux box which, of course, is an IBM mainframe running Ubuntu, I was seeing this: -

/usr/include/features.h:424:12: fatal error: sys/cdefs.h: No such file or directory
 #  include
            ^~~~~~~~~~~~~
compilation terminated.

I'd started with a clean-but-minimised Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-36-generic s390x) environment, and had installed vim: -

sudo apt-get install vim

to create a test CPP source file: -

vi test.cpp

#include
#include
int main()
{
        printf("TESTING");
        return 1;
}

but, when I attempted to compile it: -

g++ --verbose -o test test.cpp 

I saw the previously quoted exception.

I checked that I had libc installed: -

sudo apt-get install libc6-dev

sudo apt-get install libc6

I did check the missing file: -

sudo find / -name cdefs.h

which returned: -

/usr/include/sys/cdefs.h

ls -al /usr/include/sys/cdefs.h

lrwxrwxrwx 1 root root 30 Apr 16  2018 /usr/include/sys/cdefs.h -> ../s390x-linux-gnu/sys/cdefs.h

which gave me a clue ...

After some digging around, I found this: -

How do I find the package that provides a file?

on AskUbuntu, which referenced the apt-file command: -

sudo apt-get install apt-file

sudo apt-file update

Having installed it, I ran it: -

apt-file find cdefs.h|grep s390

which showed: -

libc6-dev: /usr/include/s390x-linux-gnu/sys/cdefs.h

libc6-dev-s390: /usr/include/sys/cdefs.h

libc6-dev-s390x-cross: /usr/s390x-linux-gnu/include/sys/cdefs.h

Taking a leap o' faith, I installed the s390 element of libc6-dev: -

sudo apt-get install libc6-dev-s390

but to no avail.

I then did the same for the s390x-linux-gnu element: -

sudo apt-get install libc6-dev-s390x-cross

which did the job.

I'm now able to compile my test module and, more importantly, I'm able to build the Docker image that led me down this particular rabbit hole ( as it uses LuaJIT )

IBM Cloud Private 3.2 is out ! With added Multicloud Manager....

From the announcement letter here: -

IBM Cloud Private V3.2 adds IBM Multicloud Manager, an integrated solution purpose-built to help modernize your applications to cloud native deployments

and the feature list includes: -

IBM Cloud Private V3.2 brings an integrated platform for developing, modernizing, and managing containerized applications:

•     Provides an integrated cloud platform for enterprise workloads that need to be securely run behind your firewalls
•     Enables development and production of cloud native applications in a private cloud
•     Enables refactoring and modernization of monolithic or legacy enterprise applications
•     Provides security-rich toolsets to integrate to public cloud services from within your data centers
•     Features application analytics, integration, monitoring, and security tools that are ready for immediate use to consistently manage IBM and non-IBM based workloads, providing a consistent and resilient way to build, deploy, and manage applications
•     Includes IBM Cloud Automation Manager, IBM Microclimate, IBM Transformation Advisor, and IBM Vulnerability Advisor
•     Brings one cloud experience for clients with hybrid cloud integration
•     Provides IBM Content for Red Hat OpenShift Container Platform (RH OCP) - Cloud Packs and Solution Packs
•     Extends its use cases to edge computing, specifically edge servers and gateways
•     Upgrades directly from previous versions of IBM Cloud Private V3.x.x to IBM Cloud Private V3.2

and: -

Multicloud Manager V3.2 is an enterprise-grade, multicloud, multicluster management solution, purpose-built to address the policy, compliance, and application management challenges of multiple clusters:

•     Set and enforce polices for security, applications, and infrastructure (auto enforcement at cluster level)
•     Streamline application management with Cross Cloud Security Dashboard, Management Console, and policy-based application movement
•     Check compliance against deployment parameters, configuration, and policies
•     Automatically remediate violations
•     Deploy applications across clusters based on policy compliance, development versus test, and so on
•     Automatically update monitoring dashboard based on deployment
•     Understand failure dependencies and identify the affected system if a shared component fails

As a MainframerZ I'm aiming to run it on IBM Z as soon as I can ....

Watch this space .......